New password advice from GCHQ

The GCHQ is the British equivalent of the NSA. They recently published a new document containing the GCHQ’s new password advice in light of the things we’ve learned in the last few years. It’s worthwhile reading, whether you’re a sysadmin or a web developer or just an end user who wants to stay secure online.

Some of the advice may be surprising.

Reusing passwords is sometimes OK

You probably don’t really need a 56-character password on your hobby forums, for example. You’re probably better off, in fact, using a fairly easy to remember password on things like hobby forums so you have the resources to remember better passwords for things that really matter. You do want to make sure you’re not using the same password on your hobby forum as you do on your e-mail, social media, to pay your bills, or anything of value. Forums are among the easiest places to steal passwords from, so you don’t want to burn a good one on those anyway.

Changing passwords doesn’t accomplish much

There’s a lot more value in monitoring for suspicious activity and intervening, and requiring a really strong password, than there is in making people change their passwords every 30 days. I do think we’ll need to change our passwords every 5-10 years, but I’ll tell you why in a bit.

Let me tell you a story of how making people change passwords too frequently can decrease security. Years ago, I was working on a U.S. military contract, and they created a draconian password policy. Making matters worse, one of the policy wonks decided to take it upon herself to make the policy a lot worse. Her misguided theory was that a password that’s hard to come up with is more secure than one that isn’t.

So we’d create passwords, try to follow her policy, and get the password rejected, but never with any feedback from the system about what, exactly, it objected to. As a result, it took 30-45 minutes to come up with a password. So what happened every month was that someone’s password would expire, and you’d hear that someone furiously typing on the keyboard for 45 minutes, growing ever more furious over time, until it mercifully ended with the words, “Found one!” Then he would write the password down, put it on his desk, and go for coffee.

By the time he got back, everyone in the office but me was using that password. I came up with a formula that got past her requirements often enough that I could come up with my own passwords. But this inhumane policy didn’t work. She meant to increase security. But our system became dramatically less secure, because password sharing became rampant.

Using four random dictionary words as a password may be OK

Need a password? Start by grabbing a book. Pick one random word off a random page, and repeat three times.

Before we talk about the math, we’ll talk about the method. Grab a book. Turn to a random page. Pick a word. Repeat three times. Those four words are your password.

That shouldn’t make a good password. But the math works.

This makes me uncomfortable due to algorithmic password guessing–a 32-character password of four words doesn’t have 32 rounds of entropy. It has four. So let’s work through the problem together–there are 470,000 words in Webster’s Dictionary. If you don’t reuse the words, that means there are 470000*469999*469998*469997 possible combinations, which works out to 4.9E+22 possibilities. If you limit yourself to 100,000 common words, that still works out to 9.994E+19 possibilities.

Password cracking rigs keep getting faster and it’s hard to find what the fastest one is right now. But I found someone who built a rig in 2015 who claims he can try 306 billion passwords in an hour. So we’ll go with that since the hardware does indeed keep getting faster and the software keeps getting better too. At that rate, it will take 18,203,728,723 years to guess all of them. What if you limit yourself to combinations of the 100,000 common words? It will take 37,303,399 years to guess all of them with current technology.

Here’s the caveat: Based on the difference in password cracking speed from 2013 to today, I do believe in 10-12 years it will be possible to crack four-word passwords in a reasonable length of time. Perhaps six months. That assumes the technology we use to store passwords stands still. If we start hashing our passwords well and continue to improve that, we can keep password life expectancy at a few orders of magnitude longer than a human life at any given point in time.

Keep in mind we decided about 15 years ago that running processes as root was a bad idea, and some companies continue to do it anyway, so I won’t hold my breath on that. I think in 2025 we’ll still have some websites using 1999 MD5 technology against attackers with 2025 technology. That’s rather like a P-51 Mustang trying to dogfight an F-4 Phantom–it’s not going to end well.

To compensate, I think we’ll need to add a word every 5-10 years to our password lengths. And no, I’m not willing to bet anything of value that passwords will be gone in 10 years. For now, a random 4-word password provides adequate protection against dictionary attacks.

Store passwords securely

Here’s the advice for developers. GCHQ explicitly recommends using PBKDF2 to store password hashes. The important thing to remember is to use a tested public standard. Don’t try to come up with something on your own. Many instances of password databases getting breached involved clever schemes that were flawed in such a way as to make them a few orders of magnitude weaker than they seemed. The safest bet when dealing with cryptography is to use a public standard. And not only that, whenever possible, use a public implementation of that standard. That way, your password database remains decryption-resistant in the event of a breach.